[57] ABSTRACT

A method and apparatus for securely writing confidential data from an issuer to a customer smart card at a remote location includes establishing a communication link between a retailer data terminal device at the remote location and the issuer's secure computer. A communication link is established between a secure terminal device, which includes a smart card reader/writer, and the data terminal device. The retailer is authenticated to the issuer and the issuer to the retailer by means of a retailer smart card presented to the secure terminal device. A session key is established for enciphering data traffic between the secure terminal device and the issuer's computer using the retailer smart card. The customer smart card is presented to the secure terminal device. Confidential customer data is enciphered using the session key and is written from the issuer's computer to the customer smart card.

10 Claims, 4 Drawing Sheets 
METHOD AND SYSTEM FOR SECURE, DECENTRALIZED PERSONALIZATION OF SMART CARDS



TECHNICAL FIELD 

This invention concerns a method for securely writing 
confidential data to smart cards in remote, insecure loca- 
tions. In a second aspect the invention concerns a system for 
securely writing the confidential data. Smart Cards are used 
as a highly-secure means of storing data in a portable form. 
They are of particular use, for example, in cryptographic 
applications for the storage of cipher keys. 



BACKGROUND OF THE INVENTION 

When a smart card is manufactured, the manufacturer 
'burns in' a unique identifying serial number. In addition the 
manufacturer installs a manufacturer's 'Master' Secret 
Code. 

The card and the Master Secret Code are subsequently conveyed to the Issuer by separate means. Upon receipt by the Issuer the card is accessed by presenting the Master Secret Code and that code is then changed to a fresh 'Issuer' Secret Code not known to the manufacturer. One or more User Secret Codes are then stored in the card and used to protect access to confidential user data. Initial user data may then be stored in the card. The card and the User Secret Code(s) are ultimately conveyed to a user by separate means, and the appropriate User Secret Code(s) must be correctly presented to the smart card by the user before access to the card is allowed.

The process of presentation of the Master Secret Code, 
storage of the Issuer Secret Code, storage of the User Secret 
Codes, and initial storage of user data, is commonly called 
Personalisation, and is traditionally done in a secure "Per- 
sonalisation Centre" by the Issuer. This approach is costly, 
time-consuming and relatively insecure. 
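
The chain of Secret Codes described above (Master, Issuer, User) amounts to an access-control model that the card itself enforces: a code is checked by the card, not by the terminal, and each file carries a condition naming the code that must have been presented in the current session. The following is an added illustrative model written for this page, not code from the patent or from any card operating system. The serial number and Master Secret Code are burned in at manufacture, the Issuer replaces the Master Secret Code with an Issuer Secret Code, stores a User Secret Code and writes the initial user data; the three-try blocking limit, the file and code names and the sample values are assumptions constructed for the example. The same model describes the Retailer Card's key file, which is readable only after the Retailer's Secret Code has been presented, and the customer card that is "opened" by its Master Secret Code later in this document.

```python
from hmac import compare_digest

MAX_TRIES = 3  # assumption: a code blocks after three consecutive wrong presentations


class AccessDenied(Exception):
    pass


class SecretCode:
    # Checked by the card, never by the terminal.  `presented` is the card's memory
    # that this code was correctly given earlier in the same session.
    def __init__(self, value):
        self.value, self.tries_left, self.presented = value, MAX_TRIES, False

    def present(self, candidate):
        if self.tries_left == 0:
            raise AccessDenied("code blocked")
        self.presented = compare_digest(self.value, candidate)
        self.tries_left = MAX_TRIES if self.presented else self.tries_left - 1
        return self.presented


class SmartCard:
    def __init__(self, serial_number, master_code):
        self.serial_number = serial_number                # burned in: unprotected, read-only
        self.codes = {"master": SecretCode(master_code)}  # as shipped by the manufacturer
        self.files = {}  # path -> {"read": code name, "write": code name, "data": bytes}

    def _require(self, code_name):
        code = self.codes.get(code_name)
        if code is None or not code.presented:
            raise AccessDenied(f"'{code_name}' code not presented")

    def present(self, code_name, candidate):
        return self.codes[code_name].present(candidate)

    def replace_code(self, old_name, new_name, new_value):
        # Only a holder of the old code may replace it; the old value is then gone.
        self._require(old_name)
        del self.codes[old_name]
        self.codes[new_name] = SecretCode(new_value)
        self.codes[new_name].presented = True

    def create_code(self, name, value, authorised_by):
        self._require(authorised_by)
        self.codes[name] = SecretCode(value)

    def create_file(self, path, read, write, authorised_by):
        self._require(authorised_by)
        self.files[path] = {"read": read, "write": write, "data": b""}

    def write(self, path, data):
        self._require(self.files[path]["write"])
        self.files[path]["data"] = data

    def read(self, path):
        self._require(self.files[path]["read"])
        return self.files[path]["data"]

    def remove(self):
        # Card taken out of the reader: every presentation is forgotten.
        for code in self.codes.values():
            code.presented = False


def personalise(card, master_code, issuer_code, user_code, user_data):
    # The Issuer's Personalisation Centre sequence from the Background.
    if not card.present("master", master_code):
        raise AccessDenied("wrong Master Secret Code")
    card.replace_code("master", "issuer", issuer_code)  # manufacturer no longer has access
    card.create_code("user", user_code, authorised_by="issuer")
    card.create_file("user_data", read="user", write="issuer", authorised_by="issuer")
    card.write("user_data", user_data)
    card.remove()
    return card


def user_access(card, user_code):
    # What the end user can do: read their data after presenting the User Secret Code.
    # Returns None on a wrong code; raises AccessDenied once the code is blocked.
    if not card.present("user", user_code):
        return None
    return card.read("user_data")
```

The point of `remove()` is that a presentation is session state: removing the card clears it, so a file protected by the Issuer code cannot be written by someone who later presents only the User code, and the Master Secret Code ceases to exist on the card once the Issuer has replaced it.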

SUMMARY OF THE INVENTION

According to the present invention, as currently envisaged, there is provided a method for securely writing confidential data from an Issuer to a customer smart card at a remote location, comprising the steps of:

establishing a communications link between a retailer data terminal device at the remote location and the Issuer's secure computer;

establishing a communications link between a secure terminal device, which includes a smart card reader/writer, and the data terminal device;

authenticating the retailer to the Issuer and the Issuer to the retailer, by means of a retailer smart card presented to the secure terminal device;

establishing a session key for enciphering data traffic between the secure terminal device and the Issuer's computer, using the retailer smart card;

presenting the customer smart card to the secure terminal device; then

enciphering the confidential data under the session key and writing it from the Issuer's computer to the customer smart card.

Preferably the method includes the step of establishing a second session key for enciphering data traffic between the data terminal device and the Issuer's computer.



Preferably the retailer is authenticated to the Issuer by 
entering a retailer secret code which is checked by the 
retailer smart card, then a cipher key is read from the retailer 
smart card to the secure terminal device and checked by a 
challenge sent by the Issuer. Optionally the Issuer is subse- 
quently authenticated to the retailer using a cipher key which 
is read from the retailer smart card to the secure terminal 
device and used to challenge the Issuer. 

Preferably the session keys are established by using a 
cipher key to encrypt the combined product of two random 
numbers, one of which was generated by the first party and 
sent to the second party, the other of which was generated by 
the second party and sent to the first party. 

Advantageously the confidential data is an Issuer Secret 
Code present in the customer smart card to prevent access to 
the card, and required to open the card to accept data. 

Preferably the confidential data comprises a directory and 
file structures, and data. 

According to a further aspect of the invention, as currently 
envisaged, there is provided a system for securely writing 
confidential data from an Issuer to a customer smart card in 
a remote location, comprising: 

the Issuer's secure computer; 

a retailer data terminal device at the remote location 
selectively in communication with the computer by 
means of a communications link; 

a secure terminal device at the remote location, including 
a smart card reader/writer, selectively in communica- 
tion with the computer via the data terminal device; 

a retailer smart card containing the data required to 
authenticate the retailer to the Issuer and the Issuer to 
the retailer, and the data required to establish a session 
key for enciphering traffic between the secure terminal 
device and the Issuer's computer; 

a customer smart card able to accept the confidential data, 
when presented to the secure terminal device, written 
from the computer enciphered under the session key. 
Preferably the retailer smart card also contains the data 
required to establish a second session key for enciphering 
traffic between the data terminal device and the Issuer's 
computer. 

Preferably the confidential data is an Issuer Secret Code, present in the customer smart card to prevent access to the card, and required to open the card to accept data.

This method and system permit personalisation of the 
smart card at a location convenient to the customer, such as 
the point of sale of the item, or service, with which the smart 
card is subsequently to be used. Such locations are unlikely 
to be secure, may be widely dispersed from any central 
administrative centre, and may be operated by staff who do 
not work for the Card Issuer. Furthermore the method 
provides a decentralised personalisation service in a manner 
that ensures the security of all confidential data transferred 
between components of the system. 

As smart cards are used more widely in mass consumer 
applications such as mobile telephony and Pay TV, the high 
volume of smart cards issued, and the widely dispersed 
customer population will make decentralised personalisation 
highly cost-effective and competitive. 

Once the infrastructure for a decentralised personalisation 
system is in place, it can be used for securely loading data 
other than personalisation data into previously personalised 
smart cards. 

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a schematic diagram showing the relationships between the components of a system according to the invention;

FIG. 2 is a schematic flow chart showing the steps of the method of writing confidential information from an issuer's secure computer to a customer smart card at a remote location up to authentication of the retailer;

FIG. 3 is a schematic flow chart showing the steps of the method of writing confidential information from an issuer's secure computer to a customer smart card at a remote location up to enciphered data transfer between the customer smart card and the secure computer; and

FIG. 4 is a block diagram of the secure terminal device STE 7.

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

Method and system 1 involve the interaction of three entities:

The Issuer 2 is the organisation which ultimately provides the goods or services that are obtained through the use of the customer smart card. It is responsible for the system as a whole, for the purchase of smart cards, and for their supply to Retailers. This organisation could be the central office of a bank, or a telecommunications operator, for example.

The Retailer 3 is the institution which represents the Issuer 2 in a particular local area. It could be a bank branch, or a newsagent, for example.

The Customer 4 is the end-user of the service, and the holder of the smart card that gives access to that service.

The elements involved in the process of decentralised personalisation are:

A Central Administration System 5 (ADS).

A computer system in a secure location that is equipped to communicate by telecommunications links with the other, remotely sited, components of the system. These links are assumed to be insecure. The system 5 also includes a secure database of Retailer Keys.

A Data Terminal Device 6 (DTD).

A small computer system (such as a Personal Computer) located in the Retailer's premises. It is equipped to communicate, by a telecommunications link, with the Central Administration System. This system is not considered to be secure by the Issuer.

A Secure Terminal Device 7 (STE).

A tamper-resistant, programmable device comprising a numeric and function keypad, a display, and a smart card reader/writer. It communicates with the Data Terminal device 6 by a serial communications link.

FIG. 4 is a block diagram of the secure terminal device STE 7. That device includes a tamper-resistant programmable device 90 which in turn receives information from a key pad 92, displays information on a display 94 and is coupled to a smart card reader/writer 96. It communicates with the data terminal device DTD 6 via a serial communications link.

Smart Cards or Integrated Circuit Cards (ICC).

These are read and written to by the Secure Terminal device. Two categories of smart card are used within the system:

Retailer Cards 8

Each Retailer is issued with one Retailer Card, which has already been securely personalised by the Issuer. It contains the data required to gain access to, and use, the system. This data is protected from access by several Secret Codes, some known only to the Retailer, and some known only to the Central Administration System.

Customer Smart Cards 9

These are the smart cards that will be issued by the Retailer 3 to his Customers 4. They are held in stock in an unpersonalised state, exactly as they were shipped from the card manufacturer.
The operation of the method and system will be described by analysing each phase in the personalisation of a Customer smart card from the perspective of the Retailer. These phases are identified as:

Session Establishment;

Personalisation of Customer Smart Card;

Session Termination;

Modification of Data on Customer Smart Cards.

In general, there are several different operations involved in each phase.
Session Establishment 

1) Retailer System Startup 

On startup, the Data Terminal device sets up a commu- 
nications link with the Central Administration System. This 
link is used for all future communications between the 
Central Administration System and the Data Terminal 
device. 

2) Retailer Sign-On 

Once the communications link is established, the Retailer is prompted to insert his Retailer Card in the Secure Terminal device. The Retailer is then prompted by the Secure Terminal device to enter his personal Secret Code, which is passed directly to the smart card for checking.

3) Retailer Authentication 

If the check of the Retailer's Secret Code succeeds, the 
Secure Terminal device reads a unique unprotected, read- 
only serial number from the smart card, and sends it to the 
Central Administration System via the Data Terminal 
device. Thus the Administration System knows which smart 
card is in use. 

The Secure Terminal device then reads a unique cipher 
key out of a file on the smart card which was set up during 
personalisation so that it can only be read after the Retailer's 
Secret Code has been correctly presented. 

The Central Administration. System then sends a random 
number (a challenge) to the Secure Terminal device, via the 
Data Terminal device. The Secure Terminal device enciphers 
the challenge using the cipher key read from the smart card 
and sends the result (the response) back to the Central 
Administration System. Since the Central Administration 
System maintains a record of the keys held on every Retailer 
Card issued, it is able to validate the response by also 
enciphering the random number challenge using the same 
cipher key, and comparing the result with the response 
received from the Secure Terminal device. If the two values 
are identical, the Retailer has successfully authenticated 
himself to the Central Administrative System. 

With respect to FIG. 2, a retailer smart card C1 is inserted into the secure terminal device. In a step 20, the retailer enters a personal security code which in a step 22 is compared to a secret code read from the retailer card C1 in a step 24. If the codes do not correspond, the terminal rejects the card C1 in a step 26. If the two codes do correspond, the terminal issues an unlock command in a step 28 and reads a unique, unprotected, read-only serial number from the card C1 in a step 30 and transmits that number to the issuer's secure computer. In a step 32 the issuer's secure computer retrieves a cipher key 34 associated with the serial number of the card C1 and in a random number generator 36 generates a random number RN1. The random number RN1 is then enciphered in a step 38. The random number RN1 is also transmitted to the secure terminal device and is enciphered in a step 40 using a cipher key 42 carried by the smart card C1. The enciphered output from the secure terminal device is then transmitted back to the secure computer and compared in a step 44 to the output of the local enciphering step 38. If there is no match, the transaction will be rejected in a step 46. If there is a match, the retailer will be authenticated in a step 48.

4) Issuer Authentication

Authentication of the Retailer only provides part of the security needed. It is equally important to ensure that the Central Administration System is authentic. This is achieved by performing an enciphered challenge-response in the reverse direction using a random data challenge generated within the Secure Terminal device, and using a key read from the Retailer Card. If the Central Administration System is authentic, it will also have a record of this key, and will be able to encipher the challenge and send back the correct response.

5) Establishment of Session Keys

Once both the Central Administration System and the Retailer System have authenticated each other, they can mutually establish session keys for enciphering future data traffic between them. This is done by each party sending the other a random number. Both parties then combine these two numbers together (for example, by exclusive ORing them) and encipher the result, using a key known only to them, to produce a new number, the Session Key. Future data traffic can then be enciphered using this session key. Whenever the session is terminated, and a new one started, new random numbers are used, resulting in a new session key.

Two session keys are required for securing communication between the different components of the system: one, key 10, between the Secure Terminal device 7 and the Central Administration System 5, and a second, optional, key 11 between the Data Terminal device 6 and the Central Administration System 5. By using different session keys, tight security can be maintained because intermediate parties in an exchange of messages between two parties are not privy to the contents of the messages they are simply passing on.

6) Collection and Transmission of Customer Details

The Retailer may now obtain from the Customer any personal data required by the Central Administration System before personalisation of a Customer smart card can proceed. This data may be entered into the Data Terminal device, enciphered under the Data Terminal device-Central Administration System session key 11 (to protect the confidentiality of the Customer data in transit over the link), and sent to the Central Administration System.

7) Assessment of Customer Data

If appropriate, the Central Administration System now checks the Customer data (for example, runs a credit check), and determines whether or not personalisation of a Customer smart card may proceed. The decision is communicated to the Retailer via the Data Terminal device.

Personalisation of Customer smart card

8) Selection of Customer smart card

If the Central Administration System allows personalisation to proceed, the Retailer removes his Retailer Card from the Secure Terminal device, selects a smart card from stock, and inserts it in the Secure Terminal device. The identity of the smart card is then communicated to the Central Administration System, either by the Retailer entering identifying information into the Data Terminal device, or by the Secure Terminal device reading a Serial Number out of the smart card and sending it to the Central Administration System.

9) Presentation of Manufacturer's Master Secret Code

At this stage, the smart card is protected from general access by a unique Master Secret Code written into it by the manufacturer. The method by which the Master Secret Code can be computed for any smart card in a batch will have been separately communicated to the Card Issuer. In order to gain access to the smart card, its Master Secret Code must be presented, and this is done by computing the Master Secret Code in the Central Administration System then sending it to the Secure Terminal device, enciphered under the Central Administration System-Secure Terminal device session key 10. In the Secure Terminal device, it is deciphered and presented to the smart card. This has the effect of opening up the smart card for further accesses.

10) Smart Card Set Up

Once the smart card has been "opened" by presentation of the Master Secret Code, it can be set up to meet the Customer's and Issuer's requirements. This involves creating various data structures on the smart card, and writing appropriate data to them, and to other locations on the smart card. All instructions on the manner in which the smart card is to be set up are sent from the Central Administration System enciphered under the Central Administration System-Secure Terminal device session key 10. Similarly, all data written to the smart card are sent from the Central Administration System enciphered under the Central Administration System-Secure Terminal device session key 10.

11) Entry of Customer Secret Code

At this point, the Customer may be required to enter the Secret Code he will subsequently use to protect access to his personal data held on the smart card. He is prompted on the Secure Terminal device display to enter his Customer Secret Code, and does so using the Secure Terminal device's keypad. This ensures that nobody else, not even the Retailer, knows his Secret Code. The entered Secret Code is written to the smart card where it is securely stored to be used by the smart card microprocessor to validate future presentations of the Customer Secret Code.

With respect to FIG. 3, the issuer is first authenticated. In a step 52, at the issuer's secure computer, the cipher key associated with the serial number which had previously been received in step 32 is determined and retrieved. The secure terminal device in a step 54 uses a random number generator to generate a random number RN2. This random number is transmitted to the issuer's secure computer and enciphered in a step 56. It is also enciphered at the secure terminal device in a step 58. The issuer's secure computer transmits the enciphered result from the step 56 to the secure terminal device, which compares in a step 60 that received enciphered result to the locally generated enciphered result from the step 58. If there is no match, the attempt at authentication of the issuer is rejected in a step 62. In the event that in the step 60 the two enciphered codes match, in a step 64 the terminal authenticates the issuer. Once the issuer's secure computer has been authenticated at the secure terminal device, a session key can be established. A random number generator 70, at the issuer's secure computer, generates a random number RN3 and transmits same to the secure terminal device. Using a common key 72 associated with the retailer smart card C1 present at the issuer's secure computer, the common key and the random number RN3, along with another random number RN4 received from the secure terminal device and generated in a step 78, are enciphered to produce a session key. Similarly, at the secure terminal device in a step 76, the locally generated random number RN4 along with the received random number RN3 and the common key from the retailer smart card C1 are enciphered in the step 76 to produce the session key at the secure terminal device. As is apparent from FIG. 3, a session key is required at the secure terminal device as well as at the issuer's secure computer. Information in steps 80, 82 can be transmitted between the customer's smart card C2 and the issuer's secure computer after enciphering and deciphering using the session key. This is a bidirectional data transmission.
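
The Session Establishment exchange (Retailer Authentication, Issuer Authentication and Establishment of Session Keys) and the enciphered transfer of the Master Secret Code in step 9, as an added worked example written for this page; it is not code from the patent. The patent does not name its cipher, so HMAC-SHA256 from the Python standard library stands in for "enciphering a random number under a cipher key", and a counter keystream derived from the session key stands in for the enciphering of data traffic; both are assumptions, as are the 16-byte random numbers, the names and the sample values, which are constructed. What is taken from the description is the message flow: the Retailer Secret Code goes to the card and not to the issuer, only the card's serial number leaves the Secure Terminal device in the clear, the cipher key is used on each side but never transmitted, the session key is the exclusive OR of RN3 and RN4 enciphered under the common key, and the Master Secret Code crosses the link only under that session key. Every message relayed by the untrusted Data Terminal device is recorded so that its view of the session can be checked.

```python
import hashlib
import hmac
import os

RN_LEN = 16  # assumed length of the random numbers RN1..RN4


def encipher(key, block):
    # Stand-in for the patent's unnamed cipher: a keyed function that only a holder
    # of `key` can evaluate.  HMAC-SHA256 from the standard library is assumed here.
    return hmac.new(key, block, hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def traffic_cipher(session_key, data):
    # Assumed construction for 'enciphering data traffic under the session key': a
    # keystream from the session key and a block counter, XORed with the data.
    # Deciphering is the same operation.
    out = bytearray()
    for i in range(0, len(data), 32):
        out += xor(data[i:i + 32], encipher(session_key, i.to_bytes(4, "big")))
    return bytes(out)


class RetailerCard:
    # Retailer Card 8: the serial is unprotected and read-only; the cipher key is in
    # a file the card releases only after the Retailer Secret Code is presented to it.
    def __init__(self, serial, secret_code, cipher_key):
        self.serial, self._code, self._key, self.unlocked = serial, secret_code, cipher_key, False

    def present_secret_code(self, code):
        self.unlocked = hmac.compare_digest(self._code, code)
        return self.unlocked

    def read_cipher_key(self):
        if not self.unlocked:
            raise PermissionError("Retailer Secret Code not presented")
        return self._key


def run_session(retailer_keys, card, retailer_code, customer_master_code):
    # Steps 2 to 5 and 9.  `retailer_keys` is the ADS database (serial -> key).
    # k_ste is only ever used on the STE side and k_ads only on the ADS side; the
    # DTD relays every message and `seen` records everything it could observe.
    seen = []
    result = {"retailer_authenticated": False, "issuer_authenticated": False,
              "session_keys_match": False, "customer_card_opened": False, "seen": seen}
    # Step 2: the Retailer Secret Code goes straight to the card; the STE does not check it.
    if not card.present_secret_code(retailer_code):
        return result
    # Step 3: STE reads the serial (unprotected) and the key (now readable); only the
    # serial is sent on, and the ADS looks its own copy of the key up from it (step 32).
    k_ste = card.read_cipher_key()
    k_ads = retailer_keys.get(card.serial)
    if k_ads is None:
        return result  # unknown card: refuse the session
    rn1 = os.urandom(RN_LEN)                # step 36, ADS challenge
    response = encipher(k_ste, rn1)         # step 40, STE response
    seen += [card.serial.encode(), rn1, response]
    if not hmac.compare_digest(response, encipher(k_ads, rn1)):  # steps 38 and 44
        return result
    result["retailer_authenticated"] = True
    # Step 4: the same exchange in the reverse direction.
    rn2 = os.urandom(RN_LEN)                # step 54, STE challenge
    response = encipher(k_ads, rn2)         # step 56, ADS response
    seen += [rn2, response]
    if not hmac.compare_digest(response, encipher(k_ste, rn2)):  # steps 58 and 60
        return result
    result["issuer_authenticated"] = True
    # Step 5: session key 10 = E_k(RN3 XOR RN4), computed independently on each side.
    rn3, rn4 = os.urandom(RN_LEN), os.urandom(RN_LEN)  # steps 70 and 78
    seen += [rn3, rn4]
    sk_ads = encipher(k_ads, xor(rn3, rn4))
    sk_ste = encipher(k_ste, xor(rn3, rn4))
    result["session_keys_match"] = hmac.compare_digest(sk_ads, sk_ste)
    # Step 9: the Master Secret Code crosses the insecure link only under session key 10;
    # the STE deciphers it and presents it to the customer card.
    enciphered = traffic_cipher(sk_ads, customer_master_code)
    seen.append(enciphered)
    presented = traffic_cipher(sk_ste, enciphered)
    result["customer_card_opened"] = hmac.compare_digest(presented, customer_master_code)
    return result


def demo():
    # Constructed sample values: one registered retailer card and one blank customer card.
    k = bytes(range(16))
    ads_db = {"RC-0001": k}
    master = b"\x13\x37" * 4
    return {
        "master": master,
        "good": run_session(ads_db, RetailerCard("RC-0001", "4711", k), "4711", master),
        "wrong_code": run_session(ads_db, RetailerCard("RC-0001", "4711", k), "0000", master),
        "unknown_card": run_session(ads_db, RetailerCard("RC-0002", "4711", k), "4711", master),
        "wrong_key": run_session(ads_db, RetailerCard("RC-0001", "4711", bytes(16)), "4711", master),
    }
```

The recorded `seen` list is the Data Terminal device's entire view: the serial number, four random numbers, two responses and one ciphertext. None of it yields the cipher key or the session key, and the Master Secret Code never appears in it, which is the property the two session keys are meant to give against an intermediary that is "simply passing on" messages. A card that is not in the Retailer Key database, or whose key does not match the database, fails at the first comparison and no session key is ever formed.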

Session Termination

12) Customer Smart Card Handover

The Customer may now remove his smart card from the Secure Terminal device and begin to use it.

13) Termination of Communications Session

The communications session with the Central Administration System is now terminated, which involves erasure of all session keys that were being used.

14) Breaking of Communications Link

The communications link with the Central Administration System may now be broken, or left open for use in the personalisation of other smart cards.

Modification of Data on Customer smart cards

There may be a need to modify some of the secure data on the Customer's smart card, at some stage after personalisation. This can be accomplished by using exactly the same method, but varying the data that is written to the Customer smart card during the "Smart Card Set Up" step.

With respect to FIG. 4, the secure terminal device STE 7 includes a tamper-resistant programmable device 90 which in turn receives information from a key pad 92, displays information on a display 94 and is coupled to a smart card reader/writer 96. It communicates with the data terminal device DTD 6 via a serial communications link.

An Example of Practical Implementation

To take a specific example, the GSM digital mobile telephone network relies upon smart cards called Subscriber Identity Modules (SIMs), inserted in mobile telephone handsets to authenticate users as valid subscribers to the network. It also subsequently uses the Subscriber Identity Module to generate a different session key for each phone call made. This session key is used to encipher all data, such as voice data, transmitted from, and to, that mobile telephone during that call. In order to operate, therefore, each Subscriber Identity Module must be individually initialised to contain unique, identifying information and cryptographic keys prior to issue to a subscriber.

Each Retailer is provided with the following:

a Personal Computer (Data Terminal device);

a secure, tamper-resistant PIN pad (Secure Terminal device), which incorporates a smart card reader;

a Retailer smart card, already personalised by the Issuer and set up to contain:

a Retailer Secret Code known only to the Retailer;

cipher keys known only to the Issuer, in a file protected by an Issuer Secret Code from general access;

a stock of unpersonalised blank Subscriber Identity Modules, that are protected from general access by a Manufacturing Secret Code.

When a prospective new Subscriber to the network approaches the Retailer to open a subscription, the Retailer establishes a communications link with the Central Administration System, using his Retailer smart card to authenticate himself, and to authenticate the Central Administration System, and to establish session keys between the Secure Terminal device and Central Administration System, and between the Data Terminal device and Central Administration System.

The Retailer then enters the new Subscriber's personal, 
and financial details into the Data Terminal device, where 
they are enciphered using the Central Administration Sys- 
tem-Data Terminal device session key and sent to the 
Central Administration System. In the Central Administra- 
tion System, the details are deciphered and used to run a 
credit check on the new Subscriber. If this is successful, the 
Retailer is notified, by means of an enciphered message sent 
from the Central Administration System to the Data Termi- 
nal device, that personalisation can proceed. 

The Retailer selects a Subscriber Identity Module from 
his stock, depending on Subscriber preference, and the type 
of mobile telephone the Subscriber will use. He inserts the 
Subscriber Identity Module in the Secure Terminal device 
and the personalisation data is sent from the Central Admin- 
istration System, enciphered under the Central Administra- 
tion System-Secure Terminal device session key. This data 
is deciphered in the Secure Terminal device before being 
written to the Subscriber Identity Module. This data includes 
instructions on the directory and file structures to be set up 
in the Subscriber Identity Module, as well as the information 
that is to be written to certain of these files, and to other 
locations in the Subscriber Identity Module. Data of particular note that is written to the Subscriber Identity Module at this time is:

the Subscriber's unique International Mobile Subscriber Identity (IMSI) number;

the authentication key (Ki);

the Subscriber Identity Module Service Table, which defines which of the available network services the Subscriber has actually accepted;

the PLMN Selector, which sets up an initial order of preference for the selection of network, when the Subscriber is out of range of his home network.
Once the Subscriber Identity Module has been set up, the 
Subscriber may enter his PIN Code (which will be his 
personal Secret Code protecting access to the Subscriber 
Identity Module) into the Secure Terminal device, which 
writes it to the Subscriber Identity Module. He may also 
enter his PIN unblocking key which is also written to the 
Subscriber Identity Module for use in the event the user 
forgets his PIN code. 

The telephone number of the Subscriber is then commu- 
nicated, enciphered under the Central Administration Sys- 
tem-Data Terminal device session key, from the Central 
Administration System to the Data Terminal device. The 
Retailer informs the Subscriber of the number, prints out a 
record of the entire transaction, and hands the new Sub- 
scriber his Subscriber Identity Module. The Subscriber is 
then in a position to use the network. 

At this point all communications sessions are terminated by the erasure of the session keys and the communications link may be broken.

Since all information written to the Subscriber Identity Module originated from the Central Administration System, the Central Administration System holds a complete record of what is stored on the Subscriber Identity Module, as well as personal, financial and other Subscriber information. It is therefore able to route calls to the Subscriber, allocate charges correctly as they are incurred, and issue bills.
We claim: 

1. A method for securely writing confidential data from an issuer's secure computer to a customer smart card presented to a secure terminal device with smart card reader/writer connected to a retailer's data terminal device at a remote location, including the steps of:

(a) establishing a communications link between the data terminal device and the secure computer;

(b) authenticating the retailer to the issuer by:

(i) presenting a retailer smart card to the secure terminal device reader/writer and establishing access to information stored in the smart card by entering a retailer secret code into the secure terminal device to unlock the retailer smart card;

(ii) reading data from the unlocked retailer smart card and sending only information pertaining to the identity of the retailer smart card to the secure computer;

(iii) generating and sending from the secure computer a first random number to the secure terminal device;

(iv) enciphering the first random number at the secure terminal device using a cipher key read from the unlocked retailer smart card, the cipher key having a value unrelated to the retailer secret code, and sending the enciphered first random number back to the secure computer;

(v) comparing the retailer smart card identification data with data stored in the secure computer to identify the retailer smart card, then retrieving a cipher key stored in the secure computer associated with the identification data and enciphering the first random number with the cipher key; and

(vi) comparing the enciphered first random number received from the secure terminal device with the enciphered first random number generated in the secure computer to authenticate the retailer when the values of the enciphered first random numbers are identical;

(c) establishing a mutual session key for enciphering data transfer between the secure terminal and the secure computer after authentication of the retailer to the issuer has been effected, the mutual session key being generated by using a common key stored in the secure computer and the retailer smart card;

(d) retrieving the retailer smart card and subsequently presenting the customer smart card to the secure terminal device;

(e) enciphering at the secure computer the confidential data to be written to the customer smart card using the mutual session key and sending the enciphered confidential data to the secure terminal device; and

(f) deciphering at the secure terminal device the enciphered confidential data using the mutual session key and writing the confidential data on to the customer smart card.

2. A method according to claim 1 including, after step (b), the step of

(g) authenticating the issuer to the retailer by performing an enciphered challenge-response including:

(i) generating at the secure terminal device a second random number, sending the second random number to the secure computer, and enciphering the second random number using a cipher key read from the unlocked retailer smart card;

(ii) using the identification data of the retailer smart card, for the purpose of retrieving the cipher key stored in the secure computer associated with the identification data, enciphering the second random number using the cipher key and sending the enciphered second random number back to the secure terminal device; and

(iii) comparing the enciphered second random number received from the secure computer with the enciphered second random number generated in the secure terminal device to authenticate the issuer when the values of the enciphered second random numbers are identical.

3. A method according to claim 1 or claim 2, wherein the 
session key is established by the secure computer generating 
and sending a first random number to the secure terminal 
device, the secure terminal device generating a second 
random number and sending the second random number to 
the secure computer, the secure computer and the secure 
terminal device each enciphering the combined product of 
the two random numbers using the common key stored in the 
secure computer and the retailer smart card to generate the 
session key. 
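The two challenge-response exchanges of claim 1 step (b) and claim 2, followed by the session-key derivation of claim 3 and the enciphered write of steps (e) and (f), as an added Python simulation with both sides' messages. This is not code from the patent or from any implementation of it. Assumptions: HMAC-SHA256 stands in for the keyed "enciphering" function the claims refer to, the two random numbers are combined by concatenation, the session-key transform of the confidential data is a PRF-derived keystream, and every card identifier, key and secret code is a constructed sample value.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the patent): one retailer smart card
# and the matching record held in the issuer's secure computer.
CARD_ID = b"RETAILER-CARD-0001"
CARD_CIPHER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
COMMON_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
RETAILER_SECRET_CODE = "4711"
RETAILER_CARD = {"id": CARD_ID, "cipher_key": CARD_CIPHER_KEY,
                 "common_key": COMMON_KEY, "secret_code": RETAILER_SECRET_CODE}
ISSUER_DB = {CARD_ID: {"cipher_key": CARD_CIPHER_KEY, "common_key": COMMON_KEY}}


def encipher(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 is assumed here as the keyed 'enciphering' of the claims."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_session_key(common_key: bytes, r1: bytes, r2: bytes) -> bytes:
    """Claim 3: encipher the combined random numbers under the common key
    (concatenation is the assumed way of combining them)."""
    return encipher(common_key, r1 + r2)


def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Steps (e)/(f): symmetric transform under the session key, built as a
    PRF keystream (assumed construction); applying it twice restores data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = encipher(session_key, b"data" + offset.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class IssuerComputer:
    """The issuer's secure computer side of the exchange."""
    def __init__(self, db):
        self.db, self.r1, self.r2 = db, None, None

    def first_challenge(self) -> bytes:                    # step (b)(iii)
        self.r1 = os.urandom(16)
        return self.r1

    def verify_retailer(self, card_id: bytes, response: bytes) -> bool:
        # steps (b)(v)/(vi): key lookup by card id, local encipherment of r1,
        # constant-time comparison (no early exit on mismatching bytes).
        entry = self.db.get(card_id)
        if entry is None:
            return False
        return hmac.compare_digest(encipher(entry["cipher_key"], self.r1), response)

    def answer_second_challenge(self, card_id: bytes, r2: bytes) -> bytes:
        self.r2 = r2                                       # claim 2(g)(ii)
        return encipher(self.db[card_id]["cipher_key"], r2)

    def session_key(self, card_id: bytes) -> bytes:        # claim 3
        return derive_session_key(self.db[card_id]["common_key"], self.r1, self.r2)


class SecureTerminal:
    """Secure terminal device with the retailer smart card presented."""
    def __init__(self, card):
        self.card, self.unlocked, self.r1, self.r2 = card, False, None, None

    def unlock(self, entered_code: str) -> bool:           # steps (b)(i)/(ii)
        self.unlocked = hmac.compare_digest(
            entered_code.encode(), self.card["secret_code"].encode())
        return self.unlocked

    def respond_to_first_challenge(self, r1: bytes) -> bytes:   # step (b)(iv)
        if not self.unlocked:
            raise PermissionError("retailer card not unlocked")
        self.r1 = r1
        return encipher(self.card["cipher_key"], r1)

    def second_challenge(self) -> bytes:                   # claim 2(g)(i)
        self.r2 = os.urandom(16)
        return self.r2

    def verify_issuer(self, response: bytes) -> bool:      # claim 2(g)(iii)
        return hmac.compare_digest(encipher(self.card["cipher_key"], self.r2), response)

    def session_key(self) -> bytes:
        return derive_session_key(self.card["common_key"], self.r1, self.r2)


def run_exchange(entered_code: str, card: dict, issuer_db: dict) -> dict:
    """Drive one full exchange and report what each side concluded."""
    terminal, issuer = SecureTerminal(card), IssuerComputer(issuer_db)
    result = {"unlocked": False, "retailer_ok": False, "issuer_ok": False, "keys_match": False}
    if not terminal.unlock(entered_code):
        return result
    result["unlocked"] = True
    r1 = issuer.first_challenge()                          # retailer -> issuer
    result["retailer_ok"] = issuer.verify_retailer(card["id"], terminal.respond_to_first_challenge(r1))
    if not result["retailer_ok"]:
        return result
    r2 = terminal.second_challenge()                       # issuer -> retailer
    result["issuer_ok"] = terminal.verify_issuer(issuer.answer_second_challenge(card["id"], r2))
    if not result["issuer_ok"]:
        return result
    k_issuer, k_terminal = issuer.session_key(card["id"]), terminal.session_key()
    result["keys_match"] = hmac.compare_digest(k_issuer, k_terminal)
    secret = b"ISSUER-SECRET-CODE-9876"                    # constructed confidential data
    result["written"] = keystream_xor(k_terminal, keystream_xor(k_issuer, secret))
    return result
```

Two properties of the claims show up directly in `run_exchange`: a card presented with the wrong secret code never reaches the network exchange, and a card whose identification data the issuer does not hold, or whose cipher key differs from the issuer's record (a copied card with a guessed key), fails the retailer check before any session key exists. Both comparisons use `hmac.compare_digest` so that the time taken does not depend on how many leading bytes of the response were correct.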

4. A method according to claim 1, wherein the confiden- 
tial data to be written on the customer smart card is an issuer 
secret code which enables locking and unlocking of the 
customer smart card, the issuer secret code being required to 
unlock the card to accept data. 

5. A method according to claim 4, wherein the data also 
comprises a directory and file structures and other consumer 
specific data. 

6. A method according to claim 1, wherein a second 
session key is established for enciphering traffic between the 
data terminal device and the issuer's secure computer in a 
manner analogous to the establishment of the session key for 
enciphering traffic between the secure terminal device and 
the secure computer. 

7. A system for securely writing confidential data from an 
issuer to a customer smart card in a remote location com- 
prising: 

an issuer's secure computer containing data pertaining to 
the identification of a plurality of retailer smart cards 
and respective associated cipher keys; 

a retailer data terminal device at the remote location 
selectively in communication with the secure computer 
by means of a communications link; 

a secure terminal device at the remote location including 
a smart card reader/writer, selectively in communica- 
tion with the secure computer via the data terminal 
device; 

a retailer smart card containing data required to authen- 
ticate the retailer to the issuer including a retailer secret 
code to enable unlocking of the smart card upon 
positive comparison, with a secret code inputted into 
the secure terminal device, data pertaining to the iden- 
tity of the smart card, a cipher key to encipher an 
authentication challenge generated by the secure com- 
puter and sent to the secure terminal device, and data 
required to establish a session key for enciphering 
traffic between the secure terminal device and the 
secure computer including a common cipher key stored 
in the retailer smart card and the secure computer; and 

a customer smart card able to accept the confidential data, 
when presented to the secure terminal device, sent from 
the computer to the secure data terminal after being 
deciphered using the session key. 

8. A secure terminal which can be coupled to a remote 
computer, and a data link, intended for use with first and 
second, different, authorization cards comprising: 

a programmed processor; 

an input device coupled to said processor, and 
a card reader/writer coupled to said processor wherein said 
processor includes means for reading a first indicium 
from a first card and a second indicium entered via said 
input device and for comparing same, said processor 
including means, responsive to said comparing for 
reading a third, identifying, indicium from said first 
card and for transmitting same to the remote computer 
and for receiving a random number response from the 
remote computer, associated with said identifying 
indicium, and for reading a fourth, key indicium from the 
first card for combining said random numeric response 
with said key indicium thereby producing an 
enciphered random numeric response sent to the remote 
computer for authentication, wherein said processor 
includes means for establishing a different transaction 
enciphering key in response to said authentication and 
wherein said processor includes means for reading a 
second card and for authorizing transactions using said 
transaction key and an identifying indicium carried by 
said second card and not entered by said input device. 

9. A terminal as in claim 8 wherein said processor 
includes means for entering onto said second card a user 
specified identifying indicium different from said transac- 
tion enciphering key. 

10. A terminal as in claim 8 wherein said processor 
includes means for terminating communication with the 
remote computer and wherein said transaction enciphering 
key is erased in response to said termination. 

* * * * *